Date:      Thu, 25 Feb 2010 15:10:03 +1100
From:      "Scott, Brian" <brian.scott4@det.nsw.edu.au>
To:        Gerrit Kühn <gerrit@pmp.uni-hannover.de>, <freebsd-stable@freebsd.org>
Subject:   RE: nss_ldap and multiple group memberships
Message-ID:  <B9FD027E84F6EE4783263F5393E72655011D4E23@ALF2.riverina.det.win>
In-Reply-To: <B9FD027E84F6EE4783263F5393E72655011D4D8D@ALF2.riverina.det.win>
References:  <20100224112311.73ac53f6.gerrit@pmp.uni-hannover.de> <B9FD027E84F6EE4783263F5393E72655011D4D8D@ALF2.riverina.det.win>

I hate people who contradict themselves with follow-up emails. On this occasion however...

Since writing my earlier email I've done some digging around. What I have found is that nss_ldap can use uniqueMember attributes as an alternative to memberUid attributes. The rub is that the standard structure for posixGroup doesn't allow combination with groupOfUniqueNames and groupOfUniqueNames isn't what it sounds like anyway, and uniqueMember is also not the attribute you should be using.

However, if you were to tweak the schema for posixGroup to make it an auxiliary class as per rfc2307bis (an expired proposal http://ietfreport.isoc.org/idref/draft-howard-rfc2307bis/) and use a combination of posixGroup and groupOfNames you could have member attributes (i.e. full Distinguished Names) as your member names.

It looks like you may need to uncomment the line '#nss_map_attribute uniqueMember member' in your ldap.conf to then use the correct attribute name.

I haven't actually tried any of this but I might give it a try on a test machine sometime in the next few weeks. I must say that I'm not a fan of fiddling with a standard schema but the idea of using a single type of group (combined posixGroup/groupOfNames) for everything is extremely tempting.

Enjoy,

Brian

-----Original Message-----
From: owner-freebsd-stable@freebsd.org [mailto:owner-freebsd-stable@freebsd.org] On Behalf Of Scott, Brian
Sent: Thursday, 25 February 2010 11:18 AM
To: Gerrit Kühn; freebsd-stable@freebsd.org
Subject: RE: nss_ldap and multiple group memberships

It depends on the type of group. There are at least two types of group objects that you can use in LDAP but only one of them works. You need to use posixGroup objects for unix groups. As I remember it, these have memberUid attributes for the member ids. These are simple unix identifiers. groupOfNames objects on the other hand have full distinguished names with 'member' attributes and can't be used by nss_ldap.

The idea is that posixGroup and posixAccount mimic the unix files so extraction of the data is fast. If the software used a groupOfNames object then the returned member names would need to be queried as additional transactions to find the uids of those entries that had posixAccount information. This is because the original authentication was done by pam_ldap and that just returned a UID to the system. If it returned the LDAP distinguished name to the system, and if that could then be passed into nss_ldap it would be possible to do the LDAP query in a single transaction. But then that all breaks down if you authenticate with something else like GSSAPI. If that was the case you would need to first search for the posixAccount object of the authenticated user (&(objectClass=posixAccount)(uid=1001)) and then search for all the group of names containing that distinguished name (&(objectClass=groupOfNames)(member=uid=bscott,ou=People,dc=netlab,dc=albury,dc=tafe)). That's two transactions and seems unnecessarily wasteful. Mind you, if it was an option I'd probably turn it on.

Brian
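As an added illustration (not code from the thread), the two lookup strategies Brian contrasts, modelled over a constructed in-memory directory: the single memberUid match nss_ldap performs against posixGroup entries, and the two-step DN resolution a groupOfNames-based scheme would need. The DNs, group names, gids and the escape helper are assumptions; the escaping follows RFC 4515 so a login name cannot alter the structure of the filter that is sent to the server.

```python
# Added example, not from the thread: the two group lookup strategies over a
# constructed in-memory directory (DN -> attributes). Names and gids are made up.
from typing import Dict, List

Entry = Dict[str, List[str]]
PEOPLE, GROUPS = "ou=People,dc=example,dc=org", "ou=Group,dc=example,dc=org"

DIRECTORY: Dict[str, Entry] = {
    f"uid=bscott,{PEOPLE}": {"objectClass": ["posixAccount"], "uid": ["bscott"],
                             "uidNumber": ["1001"], "gidNumber": ["1012"]},
    # combined posixGroup/groupOfNames, as in the rfc2307bis idea discussed above
    f"cn=aei,{GROUPS}": {"objectClass": ["posixGroup", "groupOfNames"], "cn": ["aei"],
                         "gidNumber": ["1012"], "memberUid": ["bscott"],
                         "member": [f"uid=bscott,{PEOPLE}"]},
    f"cn=wheel,{GROUPS}": {"objectClass": ["posixGroup"], "cn": ["wheel"],
                           "gidNumber": ["0"], "memberUid": ["bscott", "root"]},
    f"cn=admins,{GROUPS}": {"objectClass": ["groupOfNames"], "cn": ["admins"],
                            "member": [f"uid=bscott,{PEOPLE}"]},
}

def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping: a login name must not be able to add or close filter terms."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\0" else c for c in value)

def member_uid_filter(uid: str) -> str:
    """The single search nss_ldap needs for posixGroup membership."""
    return f"(&(objectClass=posixGroup)(memberUid={escape_filter_value(uid)}))"

def groups_via_member_uid(directory: Dict[str, Entry], uid: str) -> List[str]:
    """One pass: posixGroup entries whose memberUid lists the login name."""
    return sorted(e["cn"][0] for e in directory.values()
                  if "posixGroup" in e["objectClass"] and uid in e.get("memberUid", []))

def groups_via_member_dn(directory: Dict[str, Entry], uid: str) -> List[str]:
    """Two passes: resolve the posixAccount DN, then match groupOfNames member values."""
    dns = [dn for dn, e in directory.items()
           if "posixAccount" in e["objectClass"] and uid in e.get("uid", [])]
    if len(dns) != 1:  # unknown or ambiguous login name: grant no groups at all
        return []
    return sorted(e["cn"][0] for e in directory.values()
                  if "groupOfNames" in e["objectClass"] and dns[0] in e.get("member", []))

if __name__ == "__main__":
    print(member_uid_filter("bscott"))
    print("posixGroup/memberUid :", groups_via_member_uid(DIRECTORY, "bscott"))
    print("groupOfNames/member  :", groups_via_member_dn(DIRECTORY, "bscott"))
```

With this data the two strategies disagree (wheel is only a posixGroup, admins only a groupOfNames), which is exactly the situation where ldapsearch shows member: lines that nss_ldap never reports.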


-----Original Message-----
From: owner-freebsd-stable@freebsd.org [mailto:owner-freebsd-stable@freebsd.org] On Behalf Of Gerrit Kühn
Sent: Wednesday, 24 February 2010 9:23 PM
To: freebsd-stable@freebsd.org
Subject: nss_ldap and multiple group memberships

Hi all,

Is anyone here using nss_ldap and can successfully get it to work with multiple group memberships? I would really like to get this to work here, but I only get the primary group:

penumbra# id gekueh
uid=1030(gekueh) gid=1012(aei) groups=1012(aei)

getent group comes up with the complete group list. ldapsearch reports three groups with member:-lines for my user. Somehow nss does not pick this up. Any ideas?


cu
  Gerrit
_______________________________________________
freebsd-stable@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-stable
To unsubscribe, send any mail to "freebsd-stable-unsubscribe@freebsd.org"

**********************************************************************
This message is intended for the addressee named and may contain
privileged information or confidential information or both. If you
are not the intended recipient please delete it and notify the sender.
**********************************************************************